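#!/bin/sh
#
# Post-install setup (ERB template, rendered before the shell sees it):
#   1. create a self-signed TLS key/certificate for the https endpoint,
#   2. replace the CHANGE-ME placeholder in the env file with a random secret,
#   3. run the database migration,
#   4. install inotify-tools and doas,
#   5. add a doas rule for the service user.
# Every step is guarded so the script can be re-run safely.

# Stop at the first failing step so a failed key generation or migration is
# not reported as a successful setup.
set -eu

if [ -f "<%= @data_dir %>/tls.key" ] ; then
  echo "[ok] TLS keys for https endpoint"
else
  echo "[create] TLS keys for https endpoint"
  # NOTE(review): the start of this heredoc (the "<<INNER_EOF" opener, the
  # [req] section and the subject lines up to the CN value) was lost when the
  # page was extracted. The lines under the "reconstructed" marker are a
  # minimal stand-in; restore them from the original template before use.
  cat > "<%= @data_dir %>/request.txt" <<INNER_EOF
# reconstructed: [req] and [dn] sections -- confirm against the original template
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req

[dn]
CN = <%= @name %>.local

[v3_req]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = <%= @name %>.local
DNS.2 = localhost
IP.1 = 127.0.0.1
INNER_EOF
  # -nodes writes the private key unencrypted, so file permissions are its
  # only protection: create it under a restrictive umask and pin the mode.
  # -days 36500 means the certificate effectively never expires; rotation
  # has to be done by hand (delete tls.key and re-run this script).
  (
    umask 077
    openssl req -new -nodes -x509 -days 36500 -newkey rsa:2048 \
      -keyout "<%= @data_dir %>/tls.key" \
      -out "<%= @data_dir %>/tls.crt" \
      -config "<%= @data_dir %>/request.txt"
  )
  chmod 600 "<%= @data_dir %>/tls.key"
  rm -- "<%= @data_dir %>/request.txt"
  chown -R "<%= @user %>:<%= @group %>" "<%= @data_dir %>"
fi

# Check if the secret-key is already set in @env_file
if grep -qF -- "CHANGE-ME" "<%= @env_file %>" ; then
  echo "[create] Secret-key for web server"
  # 64 alphanumeric characters taken from 128 random bytes.
  SECRET_KEY="$(openssl rand -base64 128 | tr -dc '[:alnum:]' | head -c 64)"
  # If openssl failed, the placeholder would be replaced by an empty or short
  # value and the next run would report "[ok]"; refuse to write such a key.
  if [ "${#SECRET_KEY}" -ne 64 ] ; then
    echo "[error] could not generate a 64-character secret key" >&2
    exit 1
  fi
  # The key is alphanumeric only, so it cannot break the sed expression.
  # It is briefly visible in the process list as a sed argument.
  # NOTE(review): the env file now holds a secret; confirm its owner and mode
  # keep it unreadable to other local users.
  sed -i '' -e "s/CHANGE-ME/${SECRET_KEY}/g" "<%= @env_file %>"
else
  echo "[ok] Secret-key for web server"
fi

# Migrate database
echo "[migrate] Database"
"<%= @app_dir %>/bin/<%= @name %>" eval "Freedive.Release.migrate"

# Install inotify-tools
if pkg info inotify-tools > /dev/null 2>&1 ; then
  echo "[ok] inotify-tools is installed"
else
  echo "[install] inotify-tools"
  pkg install -U -y inotify-tools
fi

# Install doas
if pkg info doas > /dev/null 2>&1 ; then
  echo "[ok] doas is installed"
else
  echo "[install] doas"
  pkg install -U -y doas
fi

# Configure doas
#
# NOTE(security): the rule below lets the service user run ANY command as
# root without a password, so a compromise of the web application running as
# that user is a compromise of the whole host. If the application only needs
# specific commands, replace it with per-command rules (doas.conf "cmd" and
# "args") and keep the list as short as possible.
#
# The check is a literal substring match on purpose: a rule an administrator
# has already narrowed (same prefix followed by "cmd ...") counts as
# configured and is left alone instead of being widened again.
touch /usr/local/etc/doas.conf
if ! grep -qF -- "permit nopass <%= @user %> as root" /usr/local/etc/doas.conf ; then
  echo "[configure] doas"
  echo "permit nopass <%= @user %> as root" >> /usr/local/etc/doas.conf
else
  echo "[ok] doas is configured"
fi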